Computer Forensics in the Geek Press – A Taxonomy

So COFEE has finally been leaked onto the Internet. It was inevitable and it’s a wonder that it wasn’t released sooner, but nevertheless it marks a sad day for the Law Enforcement computer forensics community. COFEE, if you didn’t know, is Microsoft’s LE-only collection of tools for getting volatile data from a live computer. It stands for ‘Laboured Twee Acronym’. It’s not particularly exciting or special or cool, it’s just a handful of tools, all of which are freely available in one form or another, bundled up so that they run nicely from a USB stick. Nothing to see here, please move along.

So why the long face, as the horse said to the Easter Island monolith? It’s the lolz. It’s all about the lolz, and a decrease thereof. Every so often COFEE is mentioned on a geek-news site like The Register or Slashdot, and whenever this happens, the comments come alive with a thousand angry, confused, wounded monkeys, all in an uproar about the existence of this pernicious tool. Whenever the subject’s been raised among colleagues in the LE forensics community, it’s been a source of mild amusement – this torrent of, for the most part, pompous and ill-informed folk riding a wave of their own indignant foamy spit. All this will be lost, like dribble in the rain, now that they know that COFEE is actually a bit crap.

While pondering this it struck me that there’s an observable taxonomy of Internet folk who respond to any news item on the geek sites about computer forensics. For the elucidation of our species, I give you a breakdown.

The Back-Door Men (BDM)

When COFEE is mentioned, these are the ones who gibber about ‘M$’ leaving backdoors in Windows for cops to sneak into. They disapprove of this, but lay some of the blame with the users themselves – any fool knows that you are only safe from The Man if you run Slackjaw Linux, with a custom-rolled kernel that specifically doesn’t load the ‘gubmint_rootkit’ module.

The Man of Few Words (MoFW)

The MoFW will post a comment of no more than 3 words. MoFW has no time for chit-chat, and will post pithy gems like ‘One word: Truecrypt’ or ‘Cops != hackers’. He’s obviously very busy, as he often seems to have read only the first couple of lines of the article and completely misses the point. I like to picture MoFW as the enemy dude from the South Park ‘World of Warcraft’ episode.

The Cops Ain’t Shit (TCAS)

This specimen isn’t anti-police per se, but he does think that any police officer trying to do computer forensics is automatically out of their depth. Regardless of how far through an MSc the officer is, or how many years he’s spent churning out technical reports that meet evidential tests beyond a reasonable doubt, in the eyes of the TCAS he’s just a thick bobby fit for nothing but truncheoning hoodies outside the off licence.

TCAS is an expert on the shortcomings of the Police analyst, and will often impart advice such as ‘Just use Firefox – the cops don’t even think to look for it, as they only know about Internet Explorer’. TCAS knows more than anyone thanks to his position as chief tape-changer and ink-swapper at the local shoe recycling company, and will happily give advice on how the police should have handled the investigation.

The Bitter Paedo (TBP)

An odd one. TBP will often admit to having had trouble with the law, but will never say whether they were charged or convicted. Over the course of a few posts he’ll eventually rant about the indignities of having his house searched by officers from the local paedophile unit, and the unfairness of a system that ‘is itself confused over its attitude to children’.

TBP will leap into the debate like a coked-up goth in a moshpit, flailing at anything that doesn’t duck in time. Favourite targets are CEOP (and Jim Gamble especially), Law Enforcement, lawyers, courts, the CPS, that bastard from down the road who did him some unspecified wrong, his ex-wife and the rest of this cruel, unfeeling world. He will often hint at imminent legal actions that will vindicate him and bring the system crashing down, but this never seems to actually happen.

TBP often accuses the police of creating anti-paedophile laws because they don’t have enough people to arrest.

The Amused LE Officer (TALEO)

TALEO seldom appears in the comments threads, preferring to watch and comment amongst their own kind from the relative civilisation of the forensic forums. TALEO generally regards the proceedings with amused aloofness, having seen it all before. When he does appear, it’s usually to deliver a gentle smackdown to TCAS.

They all have a bunch of strange letters after their surname (so long as they don’t follow sequentially like ABC or JKL, no-one minds); they don’t actually know each other, but they somehow electronically ‘shake’ hands with each other as if they are the best of pals.

Within the LiL there are a LOT of them!

When I first came across them I was astonished to discover that there were literally hundreds of them. How wrong. There are THOUSANDS and they are all joined together by the hip.

After spending 3 days at a forensics conference this week and hanging out with the law enforcement types there, this post cracked me up. COFEE was only mentioned in a single presentation in which a forensics guy from MS was cracking jokes about it. The collective reaction was, “Yawn…” Great classifications.

For the record, I’m a network security guy and am not LE, though I’m in agreement with TALEO.

I admit to having a titter at the commentards; obviously reading El Reg has given them the necessary technical and legal nous to be able to comment on the finer points of forensic analysis. I’m always tempted to put my 2p in (all I can afford after added pension contributions) but don’t fancy the almighty shitstorm that starts when someone with actual knowledge dares to correct one of these mighty internet warriors.

But don’t these people know? COFEE is sooo yesterday! We’ve moved onto TEA (Total Electronic Analysis) which lets us exploit all the backdoors in Windows, Linux and Truecrypt to get at all those juicy secrets.

@Synical Sid – funny that about LinkedIn, joined it a little while ago as it was getting pimped around my MSc course – I found it wasn’t quite as good as people were making out. Shameless pimp for my own blog: http://www.jhannon.co.uk/?p=94

Someone (a certain recently retired Grandmaster of LE forensics, I suspect) started picking apart one of the wannabees on a comments thread once, think it was on El Reg – took him to task on basic technical stuff. It was kinda funny :-)

[…] Windows, or the Man of Few Words with his pithy “One word: TrueCrypt” style comments? Happy as a Monkey breaks it all down for us. […]

[…] might be tricky because there are more factions among them than a Trotskyite convention (see my first ever post) but it’d be fascinating to see if they talk as much crap in real life as they do […]